SRX


(No) traffic through Dynamic VPN. Sometimes

  • 1.  (No) traffic through Dynamic VPN. Sometimes

    Posted 10-12-2018 02:25

    Hello.

    I have a quite annoying problem. The most annoying thing about it is that it's somewhat erratic. For some users the VPN always works, but some report that the VPN gets properly connected but no traffic is coming through. And even for those clients for whom it doesn't work it happens to work sometimes (after some five, ten or twenty reconnections).

    On the VPN server's side everything looks ok. The SA's are created, the dynvpn users are reported as connected, even show security flow session for client's IP shows traffic (both directions!). But the traffic does not show on client's machine. So, for example, the ping shows no response even though flow session on the SRX shows traffic counters in both directions.

    What's most puzzling about it is that it happens only for some clients (and I cannot find any common factor here) and not always, so I have no clue how to debug it. To make things harder - on my laptop everything works perfectly OK.

    For example, the same user that reports VPN "not working" from his virtual machine with Windows 10 says that it's working perfectly OK from his Linux host (via patched vpnc client). I think that only Windows 10 machines are troubled with this issue but not all of them. My fresh "debug" instance which I installed lately specifically for troubleshooting this problem (normally I use W8.1) works OK. I thought that maybe it has something to do with McAfee agent on users' laptops but my W10 also has it and still works good.

    So I'm completely stuck.

    If anyone has any idea what might be causing this... Or at least where to start looking.

     

    Relevant excerpts from config:

     

    security {
        ike {
            policy Dyn-vpn-P3 {
                mode aggressive;
                proposal-set standard;
                pre-shared-key ascii-text "edited out"; 
            }
            gateway dyn-vpn-local-test-gw {
                ike-policy Dyn-vpn-P3;
                dynamic {
                    hostname vpngw;
                    ike-user-type group-ike-id;
                }
                external-interface ge-0/0/0.0;
                aaa {
                    access-profile vpn-ldap;
                }
            }
        ipsec {
            policy test-dyn-vpn-policy {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposal-set standard;
            }
            vpn test-dyn-vpn {
                ike {
                    gateway dyn-vpn-local-test-gw;
                    ipsec-policy test-dyn-vpn-policy;
                }
            }
        }
        alg {
            dns disable;
            ftp disable;
            msrpc disable;
            sunrpc disable;
            rtsp disable;
            talk disable;
            tftp disable;
            pptp disable;
            ike-esp-nat {
                enable;
            }
        }
        dynamic-vpn {
            access-profile vpn-ldap;
            clients {
                OFFICE {
                    remote-protected-resources {
                        172.16.100.0/24;
                        10.0.0.0/24;
                    }
                    ipsec-vpn test-dyn-vpn;
                    user-groups {
                        G-VPN_Office;
                    }
                }
                ENG {
                    remote-protected-resources {
                        10.0.0.0/24;
                        172.16.0.0/16;
                        10.0.3.0/24;
                    }
                    ipsec-vpn test-dyn-vpn;
                    user-groups {
                        G-VPN_Eng;
                    }
                }
                all {
                    remote-protected-resources {
                        192.168.10.0/24;
                        10.0.0.0/24;
                        172.16.0.0/24;
                        10.0.3.0/24;
                        172.16.100.0/24;
                    }
                    ipsec-vpn test-dyn-vpn;
                    user-groups {
                        G-VPN;
                        G-VPNLAB;
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        policies {
            from-zone OUTSIDE to-zone junos-host {
                policy IPSec-VPN {
                    match {
                        source-address any;
                        destination-address IP-external;
                        application [ junos-ike junos-ike-nat isakmp junos-https esp esp-nat-t ];
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                        count;
                    }
                }
            }
            from-zone OUTSIDE to-zone SRV {
                policy VPN-access-SRV {
                    match {
                        source-address VPN-clients-POOL1; 
                        destination-address NET-SRV;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                        count;
                    }
                }
            }
            from-zone OUTSIDE to-zone LAB {
                policy LAB-VPN-access {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn test-dyn-vpn;
                            }
                        }
                        count;
                    }
                }
            }
    [...] (there are more specific entries from zone OUTSIDE to various internal zones permitting traffic from VPN-clients-POOL1)
            default-policy {
                deny-all;
            }
        }
            security-zone OUTSIDE {
                host-inbound-traffic {
                    system-services {
                        ike;
                        ping;
                        https;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                }
            }
        }
    }
    access {
        profile vpn-ldap {
            authentication-order ldap;
            address-assignment {
                pool VPN-POOL;
            }
            ldap-options {
                base-distinguished-name dc=whatever,dc=com;
                search {
                    search-filter samaccountname=;
                    admin-search {
                        distinguished-name cn=edited out;
                        password "edited out"; ## SECRET-DATA
                    }
                }
            }
            ldap-server {
                10.0.0.12;
            }
        }
        address-assignment {
            pool VPN-POOL {
                family inet {
                    network 10.0.222.0/24;
                    range POOL1 {
                        low 10.0.222.11;
                        high 10.0.222.200;
                    }
                    xauth-attributes {
                        primary-dns 10.0.0.12/32;
                        secondary-dns 10.0.0.13/32;
                    }
                }
            }
        }
        firewall-authentication {
            pass-through {
                default-profile vpn-ldap;
            }
            web-authentication {
                default-profile vpn-ldap;
            }
        }
    }
    


  • 2.  RE: (No) traffic through Dynamic VPN. Sometimes

    Posted 10-12-2018 08:39

    Hi Elmiatero,

     

    There is an ongoing issue with the Pulse software causing the problem you mentioned. The problem was introduced in Windows version 1802 if I am not mistaken, please check your Windows version. Also try the connection from a Windows version lower than 1802 and confirm if the problem goes away. As of now there is nothing that can be done on the SRX side and a fix from Pulse Secure is pending.

     

    I believe you are experiencing this issue because you mentioned it works via Linux. Could that be your workaround for the meantime? 

     

     



  • 3.  RE: (No) traffic through Dynamic VPN. Sometimes

    Posted 10-12-2018 13:31

    See the document made available by Juniper today:

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=TSB17441&actp=METADATA#

     

     



  • 4.  RE: (No) traffic through Dynamic VPN. Sometimes

    Posted 10-13-2018 05:35

    Article is in review and not yet ready for viewing

     

    Seems I have to wait a few more days.

    But I see that I'm not the only one with the problem and it hopefully gets resolved soon.

     



  • 5.  RE: (No) traffic through Dynamic VPN. Sometimes

    Posted 10-15-2018 22:42

    I am sure Juniper and Pulse are doing everything possible to fix this situation because as you said, you are not the only one with this problem. Check, from time to time, the TSB document that I previously provided, it will be updated when the solution is delivered.

     

    I hope this info was helpful, please mark it as Resolved if it applies. 

     

     

     



  • 6.  RE: (No) traffic through Dynamic VPN. Sometimes

    Posted 10-16-2018 11:58

    elmiatero,

     

    Can you disable Windows Defender service and try again? I believe this has been confirmed to be a workaround. (or an incompatibility between Pulse and this service)

     

     



  • 7.  RE: (No) traffic through Dynamic VPN. Sometimes

    Posted 10-19-2018 02:11
    It seems I cannot find a service with that name in the Polish edition of Windows. 🙂 Do you have the "short name" of the service? The one I can use with net stop? But as we also tend to use McAfee agent on workstations I'm afraid I might not be able to do so anyway 😕 (but the Agent itself never caused such problems with VPN and in win8.1 with McAfee agent VPN is working OK).


  • 8.  RE: (No) traffic through Dynamic VPN. Sometimes

    Posted 04-30-2019 11:17

    Did you ever get resolution to this?  I am running exactly into that!



  • 9.  RE: (No) traffic through Dynamic VPN. Sometimes

     
    Posted 04-30-2019 22:51

    This issue is still active (TSB17441) and we are expecting some fix for this issue this quarter (Q2).

     

    You may check NCP client as an alternative.



  • 10.  RE: (No) traffic through Dynamic VPN. Sometimes

    Posted 08-13-2019 06:11

    It takes too long. We had 3rd Q of 2019 and no resolution over 1 year. Juniper and Pulse do nothing with this problem.

    The only change we have is empty promises in article TSB17441 and the changing MONTH at:

     

    Pulse Secure LLC continues to investigate technical issue related to Dynamic VPN connections to SRX with next update planned September 2019.

    Dozens of our customers can't accept this situation.

     

    NCP is not a solution. Licenses are more expensive than a new Fortigate firewall, i.e. it's ridiculous.

     

    Does anyone have any other solution or has anyone heard something positive about this situation?



  • 11.  RE: (No) traffic through Dynamic VPN. Sometimes

    Posted 10-21-2019 11:39

    A client update has been released:  https://kb.juniper.net/InfoCenter/index?page=content&id=TSB17441&act=login

    100% broken connections so far in my testing.  Curious to see if this update helps other people. 



  • 12.  RE: (No) traffic through Dynamic VPN. Sometimes

    Posted 01-20-2020 12:37

    After applying the changes from this doc my testing now has a 100% success rate.

    https://kb.juniper.net/InfoCenter/index?page=content&id=TSB17441&act=login

    That link was added to the TSB17441 page in December in case anybody missed it.



  • 13.  RE: (No) traffic through Dynamic VPN. Sometimes

    Posted 01-21-2020 06:45

    That link doesn't work for me. Do you have a working link? 

     

    Thanks